Sebastian Harl uploaded new packages for clamav which fix the following security problems:

CVE-2008-6680, DSA-1771-1, Debian bug #523016
    Attackers can cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error.

CVE-2009-1270, DSA-1771-1, Debian bug #523016
    Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang.

CVE-2009-1371, DSA-1771-1
    Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker.

Debian bug #535881
    The parsing engine can be bypassed by manipulating CAB, RAR and ZIP archives in a "certain way", so that the ClamAV engine cannot extract the content but the end user is able to.

For the etch-backports distribution the problems have been fixed in version 0.95.2+dfsg-2~bpo40+1.

The lenny-backports distribution does not include clamav packages and, thus, is not affected.

Upgrade instructions
--------------------

If you don't use pinning [1] you have to update the package manually via "apt-get -t etch-backports install <packagelist>", where <packagelist> is the list of your installed packages affected by this update.

[1] http://backports.org/dokuwiki/doku.php?id=instructions

We recommend pinning the backports repository to 200 so that new versions of installed backports will be installed automatically:

Package: *
Pin: release a=etch-backports
Pin-Priority: 200